
serious UDP activity originating from port 53

I hope I posted this in the right place.. don't neg me if I didn't.

Some background: I'm using Windows ME on a cable modem which appears to have a static IP, at least it's stayed the same since I got the broadband about a week ago. I've had a firewall in place since the first day (maybe 4 hours without one) and I'm using AVG anti-virus with the latest updates to the virus definitions, and nothing comes up infected after a complete scan.

In the space of a little under 2 hours I received about 30-40 UDP packets, all originating from port 53, targeting my ports starting at about 3500 and going upwards, though not sequentially, to about 4500. However, the second-to-last packet originated from 137 targeting 137, and the last packet originated from 1039 targeting my port 53. The originating name for this IP is ns6.attbi.com.

I start to put the pieces together a little bit after some research and this is what I come up with. I assume this to be a nameserver for a local ISP named attbi in California.. I checked out their website http://www.attbi.com/ . Why would a nameserver halfway across the country keep sending me packets, or are they legitimate? I don't think it could have gotten me confused for an authoritative nameserver or any other nameserver for that matter. I tried reading the RFC on DNS but it was very dry and more theoretical than the actual implementation, at least the parts that I grasped. I was under the impression that DNS doesn't normally talk to you unless you initiate the connection. It's the last 2 packets that make me scratch my head. 137 is netbios-ns, then it tries MY 53. I'm definitely not running a nameserver of any sort, or any services for that matter.

My partly-educated guess is that it's a scan of some nature, either a worm or an owned box. But I wanted to hear others' opinions before I mailed their sysadmin and looked like a fool in case it was legitimate activity. So needless to say I'm a little confused. Any opinions on this?

Sounds like someone hax0red Attbi's name server and then used it for their own purposes, in this case port scanning around, likely trying to find other computers with vulnerabilities. Those kinds of port scans aren't looked on well by any ISP, so feel free to report that, although I'm pretty sure they must've noticed this themselves if they keep even one eye on the log files sometimes. Include a part of your firewall's log file and some other data like the exact date and time if they're not in the log. Be polite and don't blame Attbi, just tell the facts and ask for clarification.

In short, this attack (or "attack") was most likely not targeted at you or any other individual, and you're safe if your firewall was and is running (with high enough settings).

It's time to eat crow.

Well, I really don't like to admit to my own carelessness but I think I should in this case.

Sometimes I forget the old rule "Keep It Simple, Stupid". My paranoia got the best of me. I wondered where all these UDP hits were coming from that I had never received before, so I automatically assumed "Cracker or Script Kid". Normally, if I get a probe from a machine it doesn't really bother me unless it's repeated. This time I got about 30 hits, so it set off a few warning buzzers. So I start doing some checking around and generally wasting my time. To make a long story short, when I woke up today (sleep is a reset switch, it helps greatly to clarify problems) I had the bright idea to actually check what MY nameserver was, and SURE enough the machine that all the packets originated from was my nameserver. It never dawned on me to check this first, why I don't know. I can make excuses, but excuses don't really serve much of a purpose. Why it sent packets to my 137 and 53 not originating from 53 I'm not sure about, but I'll consign it to "Things to figure out later", perhaps some redundancy routines on the nameserver's part.
This whole episode reminds me of when I put my first box together from scratch.. I got everything plugged in and ready to go, hit the switch and nothing happened. After a few minutes of tearing my hair out I realized that I didn't connect the MB wire to the power switch, and voila, everything was OK.
Thanks to everyone who posted their opinions on this matter.

So now it's time for my double helping of crow. Anybody got any catsup?
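The check the poster ended up doing by hand (is the source of the port-53 UDP traffic my own configured resolver?) can be done against the firewall log directly. The script below is an added example and is not part of the original thread or any poster's code: it parses log lines in a simple "timestamp proto src:sport -> dst:dport" shape, treats UDP from source port 53 to a local port in the ephemeral range as a probable DNS reply, and distinguishes replies from the configured resolver (expected; a stateless firewall cannot match them to the outgoing query) from the same pattern arriving from an unknown address. Packets aimed at local service ports 53 or 137, like the last two the poster saw, are left in a separate "review" bucket rather than explained away. The log format, the addresses (RFC 5737 documentation ranges), the resolver set and the 1024-4999 ephemeral range (the classic Windows 9x/ME default) are all assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample firewall log, not the poster's real log. Format assumed:
# "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2002-06-12 22:10:03 UDP 192.0.2.53:53 -> 198.51.100.7:3512
2002-06-12 22:10:09 UDP 192.0.2.53:53 -> 198.51.100.7:3580
2002-06-12 22:11:41 UDP 192.0.2.53:53 -> 198.51.100.7:4102
2002-06-12 23:02:17 UDP 192.0.2.53:137 -> 198.51.100.7:137
2002-06-12 23:04:55 UDP 192.0.2.53:1039 -> 198.51.100.7:53
2002-06-12 23:30:00 UDP 203.0.113.9:53 -> 198.51.100.7:3601
"""

# Resolver addresses the host is configured to use (assumed; on Windows ME
# this is what winipcfg / ipconfig /all reports under "DNS Servers").
CONFIGURED_RESOLVERS = {"192.0.2.53"}

# Assumed local ephemeral port range (Windows 9x/ME used 1024-4999).
EPHEMERAL_PORTS = range(1024, 5000)

# Local service ports an unsolicited packet would be probing, from the thread.
LOCAL_SERVICE_PORTS = {53, 137}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec, resolvers=CONFIGURED_RESOLVERS):
    """Label one parsed packet record.

    dns-reply-from-resolver : UDP sport 53 -> our ephemeral port, from a configured
                              resolver; the answer to a query we sent.
    dns-reply-from-unknown  : same shape, but not from a resolver we use; worth a look.
    unsolicited-to-service  : aimed at a local service port (53, 137); review it.
    other                   : anything else.
    """
    if rec["proto"].upper() != "UDP":
        return "other"
    if rec["sport"] == 53 and rec["dport"] in EPHEMERAL_PORTS:
        if rec["src"] in resolvers:
            return "dns-reply-from-resolver"
        return "dns-reply-from-unknown"
    if rec["dport"] in LOCAL_SERVICE_PORTS:
        return "unsolicited-to-service"
    return "other"


def summarize(log_text, resolvers=CONFIGURED_RESOLVERS):
    """Count packets per label across a whole log; unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[classify(rec, resolvers)] += 1
    return counts


def needs_review(log_text, resolvers=CONFIGURED_RESOLVERS):
    """Return the raw lines that are not explained as replies from our own resolver."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and classify(rec, resolvers) != "dns-reply-from-resolver":
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOG).items():
        print(f"{label:26s} {n}")
    print("lines to review:")
    for line in needs_review(SAMPLE_LOG):
        print("  " + line)
```

Run against a real log, swap SAMPLE_LOG for the file contents and CONFIGURED_RESOLVERS for the addresses the host's DNS settings actually show; the bulk of "port 53 to 3500-4500" traffic should land in dns-reply-from-resolver, and only the remainder is worth sending to anyone's abuse desk.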